Atlas 권한 부여 및 인증에 대한 지침

locals {
  tags = {
       CreatedBy = "Terraform"
       Owner     = var.owner
       Module    = "tf-example-oidc-azure"
       Name      = var.project_name
  }
}
resource "azurerm_resource_group" "this" {
  name     = var.project_name
  location = var.location
  tags     = local.tags
}
resource "azurerm_virtual_network" "this" {
  name                = var.project_name
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  tags                = local.tags
}
resource "azurerm_subnet" "internal" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.this.name
  virtual_network_name = azurerm_virtual_network.this.name
  address_prefixes     = ["10.0.2.0/24"]
}
resource "azurerm_public_ip" "vm-public-ip" {
  name                = "public-ip-${var.project_name}"
  location            = var.location
  resource_group_name = azurerm_resource_group.this.name
  allocation_method   = "Dynamic"
  domain_name_label   = var.project_name
  tags                = local.tags
}
resource "azurerm_network_interface" "this" {
  name                = "ip-${var.project_name}"
  location            = var.location
  resource_group_name = azurerm_resource_group.this.name
  tags                = local.tags
  ip_configuration {
       subnet_id                     = azurerm_subnet.internal.id
       name                          = "public"
       private_ip_address_allocation = "Dynamic"
       public_ip_address_id          = azurerm_public_ip.vm-public-ip.id
  }
}
resource "azurerm_user_assigned_identity" "this" {
  location            = var.location
  name                = var.project_name
  resource_group_name = azurerm_resource_group.this.name
  tags                = local.tags
}
resource "azurerm_linux_virtual_machine" "this" {
  name                  = var.project_name
  resource_group_name   = azurerm_resource_group.this.name
  location              = var.location
  size                  = "Standard_F2"
  admin_username        = var.vm_admin_username
  custom_data           = data.cloudinit_config.this.rendered
  network_interface_ids = [azurerm_network_interface.this.id]
  tags                  = local.tags
  admin_ssh_key {
       username   = var.vm_admin_username
       public_key = var.ssh_public_key
  }
  source_image_reference {
       publisher = "Canonical"
       offer     = "0001-com-ubuntu-server-jammy"
       sku       = "22_04-lts"
       version   = "latest"
  }
  os_disk {
       storage_account_type = "Standard_LRS"
       caching              = "ReadWrite"
       disk_size_gb         = 30
  }
  identity {
       type = "UserAssigned"
       identity_ids = [azurerm_user_assigned_identity.this.id]
  }
}

variable "user" {
  description = "MongoDB Atlas User"
  type        = list(string)
  default     = ["dbuser1", "dbuser2"]
}
variable "database_name" {
  description = "The Database in the cluster"
  type        = list(string)
}
variable "org_id" {
  description = "MongoDB Organization ID"
  type        = string
}
variable "project_id" {
  description = "MongoDB Atlas Project ID"
  type        = string
}
variable "connection_strings" {
  description = "List of MongoDB connection strings to the cluster"
  type        = list(string)
}
variable "token_audience" {
  description = "The token audience used by the OIDC identity provider"
  type        = string
  default     = "https://management.azure.com/"  # Example audience
}
variable "trusted_domains" {
  description = "List of associated domains to trust"
  type        = list(string)
  default     = ["myOrg.com", "another-trusted-domain.org"] # Example domains
}

org_id             = "32b6e34b3d91647abb20e7b8"
project_id         = "67212db237c5766221eb6ad9"
user               = ["testUser"]
database_name      = ["myTestDb"]
connection_strings = ["mongodb+srv://cluster0.mongodb.net"]
token_audience     = "https://management.azure.com/"
trusted_domains    = ["myOrg.com", "example-domain.org"]

locals {
  test_user_password = random_password.password.result
}
# Generates 12 characters long random password without special characters
resource "random_password" "password" {
  length  = 12
  special = false
}
resource "mongodbatlas_database_user" "user1" {
  username           = var.user[0]
  password           = local.test_user_password
  project_id         = var.project_id
  auth_database_name = "admin"
  scopes             = var.clusters[0]
  roles {
    role_name     = "readWriteAny"
    database_name = var.database_name[0]
  }
}
output "user1" { value = mongodbatlas_database_user.user1.username }
output "userpwd" { value = mongodbatlas_database_user.user1.password sensitive = true }

# Connection string to use in this configuration
locals {
  mongodb_uri = var.connection_strings[0]
}
# Fetch MongoDB Atlas Federated Settings
data "mongodbatlas_federated_settings" "this" {
  org_id = var.org_id
}
# Configure an identity provider for federated authentication
resource "mongodbatlas_federated_settings_identity_provider" "oidc" {
  federation_settings_id = data.mongodbatlas_federated_settings.this.id
  associated_domains     = var.trusted_domains
  audience               = var.token_audience
  authorization_type     = "USER"
  description            = "OIDC Identity Provider for Azure AD"
  # Replace with actual Azure Tenant ID
  issuer_uri = "https://sts.windows.net/${data.azurerm_client_config.current.tenant_id}/"
  idp_type   = "WORKFORCE"
  name       = "OIDC-for-azure"
  protocol   = "OIDC"
  user_claim = "sub" # Claim to extract the user's principal identity
}
resource "mongodbatlas_federated_settings_org_config" "this" {
  federation_settings_id            = data.mongodbatlas_federated_settings.this.id
  org_id                            = var.org_id
  domain_restriction_enabled        = false
  domain_allow_list                 = []
  data_access_identity_provider_ids = [mongodbatlas_federated_settings_identity_provider.oidc.idp_id]
}
# Create an OIDC-authenticated Database User
resource "mongodbatlas_database_user" "oidc" {
  project_id         = var.project_id
  username           = "${mongodbatlas_federated_settings_identity_provider.oidc.idp_id}/${data.azurerm_client_config.current.client_id}"
  oidc_auth_type     = "USER"
  auth_database_name = "$external" # Required when using OIDC for USER authentication
  roles {
    role_name     = "atlasAdmin"
    database_name = "admin"
  }
}
# Azure-specific data source needed for Tenant ID and Client ID
data "azurerm_client_config" "current" {}

output "vm_fqdn" {
  value       = azurerm_public_ip.vm-public-ip.fqdn
  description = "Fully Qualified Domain Name (FQDN) of the Virtual Machine (VM)"
}
output "ssh_connection_string" {
  value       = "ssh ${var.vm_admin_username}@${azurerm_public_ip.vm-public-ip.fqdn}"
  description = "Useful for connecting to the instance"
}
output "user_test_conn_string" {
  value       = "mongodb+srv://${var.user[0]}:<password>@${replace(local.mongodb_uri, "mongodb+srv://", "")}/?retryWrites=true"
  description = "Connection string for testing regular database user access"
  sensitive   = true
}
output "user_oidc_conn_string" {
  value       = "mongodb+srv://${mongodbatlas_database_user.oidc.username}:<OIDCToken>@${replace(local.mongodb_uri, "mongodb+srv://", "")}/?authMechanism=MONGODB-OIDC&retryWrites=true"
  description = "Connection string for OIDC-authenticated user"
  sensitive   = true
}

resource "mongodbatlas_database_user" "admin_user" {
  project_id = "6698000acf48197e089e4085"
  username = "adminUser"
  password = "securePassword"  # Use a secure password
  auth_database_name = "admin"
  roles {
    role_name     = "atlasAdmin"  # Admin role for the cluster
    database_name = "admin"
  }
  roles {
    role_name     = "readWriteAnyDatabase"  # Project member rights
    database_name = "admin"
  }
}